On a heavy forwarder, I have the following in the props and transforms files:
props.conf
[source::/opt/TJApplication/.../]
TRANSFORMS-null = setnull
transforms.conf
[setnull]
REGEX = (DEBUG|ERROR)
DEST_KEY = queue
FORMAT = nullQueue
Overall this works well to not ingest data from programs running in DEBUG or ERROR mode.
Then, I found another program running in debug mode. However, debug is all lower case. Here is the beginning of one of the events:
[Thu Nov 15 11:59:30 2018] [debug]
I changed the props.conf and transforms.conf as follows:
props.conf
[source::/opt/TJApplication/.../]
TRANSFORMS-null = setnull
[source::/usr/local/.../]
TRANSFORMS-null = setnull
transforms.conf
[setnull]
REGEX = (DEBUG|debug|ERROR)
DEST_KEY = queue
FORMAT = nullQueue
But the [debug] data is not getting sent to the nullQueue.
Any suggestions?
How about you try to use case-insensitive for your regex? Something like this:
...
REGEX = (?i)(debug|error)
...
Maybe [source::/usr/local/.../] is wrong?
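To see what each REGEX from this thread actually does to events shaped like the one in the question, here is an added simulation (not part of the original post, and not Splunk code): it applies the transforms.conf REGEX to constructed sample events the way Splunk applies it to _raw (PCRE, unanchored search; Python's re behaves the same for these patterns) and routes matches to nullQueue. The sample log lines are constructed for this example, and the third, level-anchored pattern is my own suggestion, not something from the thread. It does not model props.conf source-stanza matching, so it cannot tell you whether [source::/usr/local/.../] selects the file.

```python
import re

# Constructed sample events (not from the original post), shaped like the
# thread's example: a bracketed timestamp, then a bracketed level.
SAMPLE_EVENTS = [
    "[Thu Nov 15 11:59:30 2018] [debug] Loading configuration",
    "[Thu Nov 15 11:59:31 2018] [DEBUG] cache warm",
    "[Thu Nov 15 11:59:32 2018] [ERROR] connection refused",
    "[Thu Nov 15 11:59:33 2018] [error] disk full",
    "[Thu Nov 15 11:59:34 2018] [info] error_count=0 after retry",
    "[Thu Nov 15 11:59:35 2018] [info] user login ok",
]

# The two regexes that appear in the thread. In transforms.conf, REGEX is
# matched against _raw (no SOURCE_KEY set) as an unanchored search.
ORIGINAL = r"(DEBUG|debug|ERROR)"
CASE_INSENSITIVE = r"(?i)(debug|error)"

# Assumed tightening, not from the thread: only match the level token that
# follows the timestamp, so an INFO line whose message merely contains the
# word "error" is not thrown away as collateral damage.
LEVEL_ANCHORED = r"(?i)^\[[^\]]+\]\s+\[(debug|error)\]"


def route(events, regex):
    """Simulate the setnull transform for one REGEX.

    Events whose _raw matches go to nullQueue (dropped); the rest go on to
    be indexed. Returns (indexed, dropped), each in original order.
    """
    pattern = re.compile(regex)
    indexed, dropped = [], []
    for raw in events:
        (dropped if pattern.search(raw) else indexed).append(raw)
    return indexed, dropped


def report(regex):
    """Print which constructed events each REGEX would send to nullQueue."""
    indexed, dropped = route(SAMPLE_EVENTS, regex)
    print(f"REGEX = {regex}")
    for raw in dropped:
        print("  nullQueue :", raw)
    for raw in indexed:
        print("  indexed   :", raw)


if __name__ == "__main__":
    for regex in (ORIGINAL, CASE_INSENSITIVE, LEVEL_ANCHORED):
        report(regex)
```

Two things the simulation shows. First, `(DEBUG|debug|ERROR)` already matches the `[debug]` event in the question, so if that event is still being indexed, the regex is not the part that is failing and the source stanza is the thing to check. Second, `(?i)(debug|error)` also drops the `[info]` line whose message contains `error_count`; an unanchored case-insensitive alternation matches anywhere in _raw, which is why the level-anchored variant is worth considering if message bodies can contain those words.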
Perhaps. I have modified the source as follows and will try that out:
[source::/usr/local/logs/.../*_log]
TRANSFORMS-null = setnull
Have you tried restarting Splunk after that change?
Yes, I always bounce Splunk after making this type of change.